UK Surveillance Bill Becomes Law

A controversial U.K. "emergency" surveillance bill has become law, just seven days after being introduced to Parliament. But a privacy rights group has already promised to challenge the new law in court.

The Data Retention and Investigatory Powers Bill was first introduced to Parliament by the British government on July 10. The House of Commons fast-tracked the bill July 15, moving it to the House of Lords. On July 17, the Lords agreed to not add any amendments - which would have returned the bill to the Commons for further debate - and approved the bill without a vote.

The bill received royal assent on July 17, thus making it law. The new Data Retention and Investigatory Powers Act requires U.K. telecommunications providers to store information relating to their customers' e-mails, texts and calls for 12 months for potential access by law enforcement and intelligence services.

Going-Dark Warning

The U.K. government pushed for rapid passage of the bill, owing to the European Court of Justice ruling in April that an EU directive requiring blanket - as opposed to targeted - data retention violated Europeans' right to privacy and protection of their personal information. Because the U.K. data-retention regulation was based on that EU directive, legal experts say it left U.K. telecommunications providers in a gray area. In particular, providers worried that by continuing to collect information relating to customers' e-mails, texts and phone calls, they were violating EU law.

Government officials offered dire warnings about what might happen if the bill failed to pass. "We face the very prospect of losing access to this data overnight, with the consequence that police investigations will suddenly go dark and criminals will escape justice," Home Secretary Theresa May told Parliament July 10.

But numerous legal experts and privacy rights advocates questioned the government's move to get the surveillance bill passed in just one week. "We fundamentally disagree with the lack of consultation and the speed with which the bill will be rushed through," the World Wide Web Foundation said in a statement. "Full and frank public debate that informs the legislative process should have occurred by now - after all, these issues have been making headlines for over a year and the relevant ECJ judgment was delivered in April."

Multiple legal and privacy experts have likewise criticized the way in which the coalition government sidestepped related debate. "What DRIP represents is ... an utter failure to engage in an open, mature, public debate about the clash between privacy and security online," says University of Cambridge law researcher Julia Powles in a Guardian editorial. "The debate shouldn't be between blanket, universal data retention and no retention at all, as it was misleadingly cast. It should be about retention that is necessary and proportionate."

Minor Parliament Resistance

Some 49 members of the House of Commons attempted to make the bill expire in 2014, but lost that bid. It's now due to expire in 2016, and the government has promised to pursue a more big-picture review of the country's surveillance legislation, including the Regulation of Investigatory Powers Act, before then.

Before the bill was approved, one of the most technology-literate members of the House of Lords, Lastminute.com co-founder Martha Lane Fox, warned Parliament that the legislation threatened to permanently expand the surveillance state. "Addressing the ECJ ruling and planning this bill far earlier could have been an extraordinary opportunity to instigate a wide-ranging and sophisticated review about the future, a review which carefully considered the implications of data collection, the role of surveillance, and the trade-off between privacy and security," she said.

"Instead, we are being catapulted into legislation that builds on the badly understood and arguably dysfunctional RIPA legislation," she said. "This bill sets a precedent from which, even with reviews and a sunset clause, I believe it will be hard to row back."

Legal Challenge Threatened

The Open Rights Group says it isn't against government surveillance. But it decried blanket data-retention practices, arguing that the government should adopt more targeted measures. "The government is portraying the choice as retention of all data or no retention at all," the organization's Jim Killock and Elizabeth Knight say in a blog post. "This is a false dichotomy."

If the Open Rights Group challenge moves forward, it means the law could one day face scrutiny by the EU Court of Justice or the European Court of Human Rights. "But either a national court must send questions to the Court of Justice of the European Union or all national remedies must be exhausted before going to the European Court of Human Rights," Steven Peers, a professor of EU law and human rights law at the University of Essex in England, tells Information Security Media Group.

In the interim, U.K. government officials now have a blanket data-retention law on the books.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
